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© Redundant networked database system. 

© A Redundant Networked Database System is 
taught. Briefly stated, Control System Computers are 
designated for primary and backup database opera- 
tion with applications being inputable to either pri- 
mary or backup. Upon changes to the database, the 
primary and backup communication agents commu- 
nicate with each other and to automatically update 
the backup. In this fashion, the primary and backup 
databases are automatically synchronized without 
manual intervention or the need for reinputting of the 
changes to the backup database. 
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FIELD OF THE INVENTION 

This invention relates, generally, to control sys- 
tems and more particularly to a control system 
having automatic database redundancy. 

BACKGROUND OF THE INVENTION 

It Is known that the use of computers in a 
manufacturing environment is increasing at an ever 
accelerating rate. Whereas it was previously com- 
mon to install one or two computers which inter- 
acted with remote peripheral sensors and the like, 
there is an increasing tendency to utilize comput- 
ers, generally in the form of microprocessors, as 
close as possible to the events or environment 
being sampled or controlled. 

Accordingly, along with this proliferation of 
computers there is now the need to network them 
so as to form a distributed control system. One 
distinct advantage with distributed processing is 
the desirability and ability to switch to a backup 
when, for example, the network or a primary com- 
puter goes down or malfunctions. 

It is therefore important to have as much in- 
formation on the secondary computer as the pri- 
mary so that it can generally perform its function 
without interruption. Unfortunately, with the increas- 
ing use of computers, changes are made to the 
system on a much more pervasive and frequent 
basis. 

Heretofore, backup databases, those databases 
which were used in the event of a primary system 
failure, were run in synchronization with essentially 
identical equipment running both copies in similar 
environments. Modifications to one database how- 
ever, generally had to be made to the other 
databases and required at least some manual inter- 
vention. Accordingly, this required that all modifica- 
tions had to be done at least twice. This is particu- 
larly problematic when complex modifications need 
to be done which thereby results in tedious 
duplicative work. Moreover, the chance of an error 
or discrepancy between the backup and primary 
databases was greatly increased. 

There are a number of schemes which have 
tried to manage a network type system. One such 
example may be founded in U.S. Patent No. 
5,093,782 "Real Time Event Driven Database Man- 
agement System" to Muraski et. al., issued March 
3, 1992 which attempts to speed up and simplify a 
database system. However, these systems gen- 
erally require specialized hardware, unique archi- 
tecture and the like and are therefore generally not 
"retrofitable" to existing systems. 

Accordingly, it is advantageous and an object 
of the present invention to keep primary and bac- 
kup databases synchronized without manual inter- 



vention. It is also desirable and yet another object 
of the present invention to produce a system which 
allows for hardware or network failure by one por- 
tion of the system without affecting the remaining 

5 portions. 

It is still a further object of the present inven- 
tion and is also desirable to produce a system 
which effectively allows for two or more different 
computers to have effectively identical databases 

70 while still allowing for communication between the 
two. 

Still a further object of the present invention is 
to produce a redundant system which makes the 
backup database invisible or transparent to the 
rs user and which automatically accomplishes syn- 
chronization without any special effort on the part 
of the user. 

It is also advantageous and another object of 
the present invention to produce a redundant net- 

20 work database system, comprising at least two 
computers, a communication link disposed be- 
tween them so as to allow communication between 
the two computers and a means for sensing a 
change to a database and producing an indication 

25 thereof and a communications means for sensing 
the indication produced by the first means whereby 
the communication means updates the database of 
the remaining at least two computers. 

30 DESCRIPTION OF THE DRAWINGS 

Reference may be now had to accompany 
drawings in which: 

Figure 1 is a block diagram of the network as 
35 envisioned by the present invention; and 

Figures 2 and 3 are State diagrams of the 
Primary and Backup Communications Agent, re- 
spectively, of the present invention. 

40 DETAILED DESCRIPTION OF THE PREFERRED 
EMBODIMENT 

Referring now to Figure 1 there is shown a 
block or function diagram of the present invention. 

45 It is to be understood that in the preferred embodi- 
ment of the present invention the within commu- 
nication database is used in conjunction with a 
Networked Control System although it is to be 
understood that other types of networks may be 

so utilized without departing from the spirit and scope 
of the present invention. Such other types of net- 
works may be, for example, computers on a local 
area network. 

Here there is shown the preferred embodiment 

55 using two computers each of which incorporates a 
Primary Database and a Communications Agent. It 
is to be understood that although only two comput- 
ers are shown for ease of understanding and il- 
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lustration purposes, more computers may be used. 
Accordingly, a network would encompass substan- 
tially more computers although they would operate 
substantially identical to the manner described be- 
low. Shown is the Primary Database having a Com- 
munications Agent (as described more fully below) 
integrated therewith and a Backup Database also 
having a Communications Agent integrated there- 
with. 

An application source acting on the database is 
also shown as being operatively connected to the 
Primary Database, although such sources may be 
operatively connected to any of the Backup 
Databases. Such applications may be, for example, 
in the form of an updated process or process 
control information which has been provided by 
external input devices or sensors, recorded pro- 
cess variables or any other information relevant to 
the operation being monitored or controlled by the 
network system. 

Each database runs on its own computer with 
the communication agent being a resident 
database package which is also run on each com- 
puter. This communications agent package, as de- 
scribed in fully below, provides communications 
between the databases. By way of overview, when- 
ever an application program (such as a database 
shall) cause a modification to the primary database, 
a message is sent from the database to the local 
communications agent. The communications agent 
thereby in turn forwards that message to the re- 
mote communication agent, in this case the com- 
munication agent resident with the backup 
database. The remote communication agent there- 
by upon receipt of this message performs that 
same operation on the backup database. 

In the preferred embodiment of the present 
invention, communications is in both directions as 
is normally the case with control system networks. 
Therefore, should a malfunction occur in the pri- 
mary database or in the primary database's com- 
puter, the backup database can take over until the 
primary is functioning again. Therefore, the former 
backup is now in the role of primary and can store 
all database modifications for later transmittal to the 
former primary. In this fashion, it is not necessary 
for applications interacting with the network to be 
postponed or delayed until the primary system is 
functioning. 

Two kinds of failures are detected and acted 
on by the present invention; database operation 
failure and network failure. When a database opera- 
tion fails on the primary computer, the primary 
computer's database logs an error. The result is 
that this shadowing is effectively ceased since the 
operation failed and was not performed. However, if 
a database operation should fail during a shadowed 
transaction (that is, where database exchanges are 
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actually taking place) the transaction is generally 
rolled back which in turn causes the corresponding 
transaction on the backup computer to also be 
rolled back. Accordingly, the failed operation (up- 

5 date, delete or insert) is itself not shadowed. 

Should a database operation fail on the backup 
computer it is automatically logged on the backup. 
Since, during normal operation it is common to 
expect that the user is not generally paying atten- 

io tion to the backup, a message is automatically sent 
to the primary computer so that the failure will also 
be reported to the primary computer. This there- 
fore allows users or other programs on the primary 
computer to decide what to do in a predetermined 

75 fashion. Depending upon what is desired by the 
user or the resident programs, it is therefore possi- 
ble that the two databases will no longer be syn- 
chronized. In any event however, the database 
operation failure will have been at least noted. 

20 The second type of failure, network failure 
when detected on the primary computer automati- 
cally causes the connection between the primary 
and backup database to be shutdown. The primary 
computer thereafter waits for a re-connection with 

25 the backup. Accordingly, any database operations 
that come in during this time are queued for later 
transmission to the backup. Therefore when com- 
munications are reestablished, transactions that 
were in progress are resent, followed by the men- 

30 tioned queued pending operations. 

Should the backup computer detect a failure of 
the network, the backup computer automatically 
rolls back any transactions in progress to avoid 
keeping any files/tables locked on the backup com- 

35 puter. The main reason for this is that when com- 
munications is reestablished, it is highly unlikely 
that any corresponding transactions will remain in 
progress with the result that there would be no 
convenient way to tell the backup computer to 

40 unlock the files/tables. Thereafter, when commu- 
nications are reestablished, the backup computer 
goes back to a waiting state for database shadow 
messages. This automatically causes the primary 
computer to resend any transactions that were in 

45 progress prior to the failure with the result that 
synchronization is accomplished. 

Referring now to figures 2 and 3 there is shown 
state flow-chart diagrams of the primary and bac- 
kup communication agents respectively. It is to be 

50 understood that in the preferred embodiment of the 
present invention, the operations are performed in 
the sequence and manner as shown although the 
order of some steps and the like may be changed 
without departing from the spirit and scope of the 

55 present invention. 

The primary and backup state diagrams are 
shown for the communications agent portion of the 
present invention. It should be noted that the 
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"START" arrow of each of state diagrams repre- 
sents start up of the communications agents at 
boot-up of the control system computers. As can 
be seen with the primary and backup state dia- 
grams, a connection is initially accomplished be- 
tween the backup and primary over the network. 
This connection of course checks for failure con- 
ditions. Should a failure condition be detected or 
exist, the sequence is reinitiated. Additionally, with 
respect to the primary communication agent shown 
in figure 2, a failure at any point of actual transmis- 
sion of the database data results in the re-initiation 
of a connection to the backup over the network. 

As can be seen in figure 2, database oper- 
ations are sent to the backup database with ac- 
knowledgments sent back to the primary database. 
This type of handshake is readily known and avail- 
able to one skilled in the art and ensures the 
existence and integrity of successful communica- 
tion. 

It is recognized that in database systems as 
envisioned by the present invention, two types of 
changes to the database are generally accom- 
plished. These changes are in the form of an 
atomic operation or a transaction operation. A 
transaction operation is one in which particular files 
or portions of the database are locked out to exter- 
nal changes unless and until the file is unlocked. 
This type of operation is generally done when 
extensive or substantial changes are being made to 
the database. Conversely, an atomic operation is 
generally one which is automatic, and relatively 
minor in breadth. In any event, the success of this 
transmission is again checked to ensure its integ- 
rity. 

With respect to figure 3 it can be readily seen 
how the communication agent receives and pro- 
cesses the information from the primary database. 
Of particular import is its operation during and just 
after failure. Accordingly, in the event of commu- 
nications failure, its previously mentioned roll back 
of any transactions in progress takes place where- 
by the new information or data is ignored and the 
integrity of the database is in effect rolled back to 
just as it was prior to the failure. In this manner, the 
backup database can reinitiate or continue from a 
known correct point, thereby enabling it to operate 
or act as a primary database for backing up the 
formerly primary database. 

Accordingly, the backup communications are 
synchronized to the primary without any manual 
initialization or reinputing of any data. Further, 
since the communication link is a two-way path, 
complete bi-directional database synchronization is 
accomplished. 

It is to be understood that the present invention 
may be modified without departing in spirit and 
scope thereof and that its breadth not be limited by 



the specific embodiments but rather only limited by 
the claims appended hereto. 

Claims 

5 

1. A redundant network database system, com- 
prising: 

a first computer having a means for storing 
a primary database and at least one second 
70 computer, having a means for storing a backup 

database; 

Communication link means for connecting and 
operatively interconnectable with said first 
computer and said at least one second com- 

75 puter; 

first means disposed in said first computer for 
sensing a change to said primary database 
and second means in said at least one second 
computer for sensing a change in said backup 

20 database, said first means and said second 

means producing an indication thereof of a 
change in the respective databases; and 
communication agent means disposed in said 
first computer and in said at least one second 

25 computer for sensing the indication produced 

by said first means and said second means, 
whereby any changes to said primary 
database are communicated to said backup 
database. 

30 

2. A device according to claim 1 wherein said 
communication link is bidirectional such that 
any changes to said backup database are 
automatically transmitted to said primary 

35 database. 

3. A device according to claim 1 wherein commu- 
nication link failures detected by said first com- 
puter are automatically transmitted to said at 

40 least one second computer and vice versa. 

4. A method for automatic redundant network 
database management having at least two con- 
trol system computers, a primary computer 

45 and a backup computer each of which has a 

database, said computers interconnected in a 
network, comprising the steps of: 

A. Initiating communication between said 

computers; 

50 B. Detecting a change in the databases 

associated with said computers; and 
C. automatically updating the database of 
each previously unaltered database with the 
changes made to the said altered database. 

55 

5. A method according to claim 4 comprising the 
additional step of: 
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D. logging an error condition in the primary 
computers database upon detecting a fail- 
ure of a primary database operation. 



6. A method according to claim 5 comprising the 5 
additional step of: 

D. rolling back the change to the primary 
computer database upon detection of a pri- 
mary computer database operation. 

w 

7. A method according to claim 4 comprising the 
additional step of: 

D. transmitting am error condition from said 
backup database computer to said primary 
computer database upon said backup com- 15 
puter detecting a database operation error. 



8. A method according to claim 4 comprising the 
additional step of: 

D. said primary computer discontinuing the 20 
communication between said computers 
upon said primary computer detecting a fail- 
ure in said network. 

9. A device according to claim 8 comprising the 25 
additional step of: 

E. queuing in said primary computer 
database changes to the primary computer 
upon failure of the network; and 

F. transmitting said queued database in- 30 
formation to said backup computer 
database upon reestablishing of communi- 
cations in said network between said pri- 
mary computer and said secondary com- 
puter. 35 



10. A method according to claim 4 comprising the 
additional step of: 

D. rolling back any transactions in progress 
in said backup computer database upon 40 
said backup computer database detecting a 
failure in the network. 



45 



50 
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